-
Title
Privilege Manager for Unix Hotfix 6.0.0.061 -
Description
--------------------------------------------------------------------------------
Privilege Manager for Unix Hotfix 6.0.0.061 Release Notes
--------------------------------------------------------------------------------
This is a Maintenance Fix Release for Privilege Manager for Unix 6.0.0.061.
Below is a complete list of all included changes to the Privilege Manager for Unix product since the
Privilege Manager for Unix 6.0 release.
Fixes are cumulative unless otherwise noted.
--------------------------------------------------------------------------------
Defects Fixed in Privilege Manager for Unix Hotfix 6.0.0.061
--------------------------------------------------------------------------------
Please see attachment 'PrivilegeManager4UnixHotfix_600_061_Readme' below for release notes. -
Resolution
RESOLUTION:
Please download and install Hotfix, Privilege Manager for Unix 6.0.0.061 for Solution 133824 by Clicking Here for server policy packages.
Client packages can be downloaded Here
The following is a list of issues resolved in this hotfix.Resolved Issue Issue ID Two security vulnerabilities (CVE-2017-6553 - pmmasterd buffer overflow & CVE-2017-6554 - pmmasterd arbitrary file write) were addressed, by which a remote attacker could gain control of the policy server. Validation code has been added and obsolete code removed to secure the pmmasterd daemon against these vulnerabilities. 0006556 The pmlogsrvd sometimes would not respond to terminate signal (kill -15) leaving it in a loop doing nothing and consuming CPU resources. 0006553 The pmpolicy program will filter out double quote (“) characters from commit messages to prevent issues in MCU when generating the “policy changes” report. 0006546 The pmlogsrvd will periodically remove events from the event cache that cannot be processed. 0006537 When the policy server is very busy, the mktemp() policy function may use an malformed filename causing an error message similar to the following when opening the iolog file:pmmasterd6.0.0 (040):3361.01 open iolog log: : Invalid argumentThe pmmasterd now protects against this by retrying to generate the filename and open the iolog file if a failure occurs.0006548 Fixed memory leak and modified the evcache processing to improve memory usage.Two new pm.settings values have been introduced:EventQueueProcessLimit – Limits the number of cached events that will be processed at a time (to limit memory usage). Default value is 0 (no limit)EventQueueFlush – Interval in minutes in which the pmlogsrvd process reopens the eventlog database, thereby flushing the data used in memory. Default is 0 (the database is kept open while the service is running).0006547 Using the getstringpasswd() function would crash pmmasterd and cause the session to fail. This has now been fixed. 0006544 pmlogsearch will now return partial results if secondary policy servers are unavailable instead of returning an error, so that MCU can display the partial results. 0006542 Several settings were not able to be configured via the -d option in pmjoin and pmsrvconfig. All valid settings are now recognized by the -d option. 0006540 On Linux platforms fixed a stdout issue for print() statements when running multiple commands (one of which being pmrun) via ssh. 0006536 Changes to the runhost variable within the policy were being reset, causing the changes to be ignored. 0006531
Applicability of this hotfix
Products affected by this hotfix:Product Name Version Privilege Manager for Unix 6.0.0 versions prior to 6.0.0 (061) To install this hotfix:
Before applying this hotfix, ensure you have an appropriate backup of your machine.
Depending on your platform's package management software, you may be required to remove previous versions to upgrade to a newer version.
Copy the installation files to temporary directory.
Change directory to the package location and run the platform specific package install program to install the desired package.
For example, on a Redhat based x86_64 system, you may use rpm --upgrade to upgrade the server package:
rpm --upgrade qpm-server-6.0.0-50-x86_64.rpmDetermining if This Hotfix Is Installed
To determine if this hotfix is installed:
Verify the build number by running "pmrun -v" and "pmlocald -v" (the build number is displayed in parenthesis):
/opt/quest/bin/pmrun -v
/opt/quest/sbin/pmlocald -v
Removing This Hotfix
To remove this hotfix:
Use the platform specific package management software to remove the installed package and re-install to the previous installed version.For example, on a Redhat based x86_64 system, you may use the rpm --oldpackage option to rollback the server package:
rpm --upgrade --oldpackage qpm-server_6.0.0-version>-x86_64.rpm(On policy servers only) If reverting to a version prior to 6.0.0 (032), change the pmpolicy service user's shell to a standard UNIX shell (e.g. /bin/bash)
usermod -s /bin/bash pmpolicy